Challenge-response: the use of incorrect responses in validating identity

6 points by amrith, over 15 years ago

2 comments

makecheck, over 15 years ago
American Express recently added these "3 questions" to my account, and it made me very mad. For one thing, their "request" was persistent; it eventually wouldn't let me log in until I provided them, so they were really a requirement. "For security", of course, even though there's evidence [1] they make security worse.

To make it more insulting, though, I discovered that the implementation was very dumb:

1. The questions were fixed, and extremely stupid. Any of them could probably be guessed by someone with a few minutes to Google.

2. The question lists were too short, making it difficult to pick a really hard-to-guess answer.

3. The lists were unique to *each question*. So if I saw 2 questions I liked in the first slot, I could choose only one of them, and if the 2nd slot had completely inane options, I had to choose one of the inane options.

4. The last question *didn't even offer options that applied to me*. So suddenly, for "security", I had to remember which unrelated question I selected, and which made-up response I provided. Thanks a hell of a lot, AE.

[1] http://www.schneier.com/blog/archives/2009/05/secret_question.html
russell, over 15 years ago
I usually give a different email address to each service that I sign up to, so I can tell if they are selling my address, but I never thought of giving a different mother's maiden name so I can detect phishing. It's a reasonable strategy, but I have trouble remembering the name of my elementary school, my favorite color (I don't care), the make of my first car (my parent's or the one I actually paid for) ... However, I will try the strategy of giving a couple of wrong answers to weed out the fakes.